It will come as no surprise to long-time readers of this page (or others
who have followed embedded device security), but recent reports
of the "first Linux botnet" are making the subject of router/modem security
more visible to the general public. As we have reported previously, embedded,
network-facing devices make tempting targets. It appears that a botnet
herder noticed that and is trying to take advantage of Linux-based
Perhaps the most surprising part about the attack is the simplicity of the
vulnerability it is exploiting. As far as anyone has found "psyb0t", as
the botnet is known, just brute forces username/password pairs over telnet,
ssh, or http. The earliest
research [PDF] of the
botnet was from January; at that time it was only known to be exploiting a
particular ADSL modem (Netcomm NB5) that, at one time, had non-existent
its WAN-facing administrative web interface.
More recently, DroneBL found more
infected routers when investigating a distributed denial of service
(DDOS) against its servers. The botnet is targeting Linux devices using
the mipsel (MIPS little-endian) architecture, which includes many
Linux-based home routers. OpenWRT,
DD-WRT, and other projects all provide
Linux-mipsel firmware for a variety of potentially vulnerable devices.
Once the infecting program gets access to the device, it downloads the
botnet code and disables access to the device via telnet, ssh, or http.
While its method of getting access is simple, the botnet code itself is very
capable. It connects to a command and control IRC channel (#mipsel) on a
particular host under the control of the botnet herder. Commands on that
order the botnet nodes to do various denial of service attacks, scan for
vulnerable MySQL and phpMyAdmin sites and subvert them, port scan
particular hosts, update the botnet
code, and more. The IRC channel has shut down with a message indicating
that psyb0t was strictly a research project by someone known as DRS. The
message also claimed that no DDOS or phishing was done and that the botnet
reached 80,000 nodes.
While it may well be that the danger of this particular threat has passed,
the more general issue of router, especially home router, security
persists. A fully capable, always-on Linux device is a very attractive
target for botnet herders or other types of attackers. Trying to put
together a botnet of Linux desktops and servers might be a much more
difficult task as there is a much wider diversity of distributions and
kernel versions, as well as different architectures and configurations. To
a great extent, the Linux-based home router landscape is much more
homogeneous, as psyb0t has shown.
Clearly default and/or weak passwords are a serious problem—not just
for Linux-based devices—but it would not be surprising to find that
vulnerabilities (such as authentication
bypass) are available on many of these devices. Unlike a simple
password change, those kinds of flaws require an update to the router
firmware, which, in turn, requires users to know about the problem and
understand where to get—and how to apply—the code to fix it.
This is certainly a problem we have not seen the last of.
to post comments)